I thought it would be a good idea to use a Live CD of Ubuntu to do all my financial transactions online, I figure thats the safest way since any virus/trojan cannot infect the Live CD?

Just one question, how safe is it to use Linux as a whole for this kind of use?
(I mean, Linux and all the apps are open source and written by just about anybody, so how can I be sure that even the Ubuntu Live CD doesnt have any sort of keylogger etc installed? After all, with so many lines of code, I'm sure someone could have sneaked in something like that?)

I don't know if I'm being paranoid, but it would help if someone has answers or links talking about this specific aspect? Also, is there a geek-word for such "sneaking in of malicious software" (apart from "trojan" of course :)

5 Answers
5

With a smaller open source project written almost exclusively by 1-2 people, there is some risk that they can hide something. But with big, well-known and well-tested software such as the Linux kernel, Firefox, and most packages which are a default part of a big distribution, you can be reasonably sure that lots of independent eyes have seen every line of code. You're probably more at risk of a rogue Microsoft employee sneaking in a keylogger into Windows just before a deadline.

The second point is, Linux isn't more secure just because there is fewer Linux malware written. It was designed with a better security model. With Windows, almost everybody ran as admin up to Win XP, and because of the UAC usability disaster in Vista, most people just continue this today, even on 7. The point of running as non-admin isn't to save you from yourself - if it is your own PC, it'll ask you for admin password for deleting System32 and you'll provide it - but that software processes started while you're running as non-admin don't have admin rights, so they are barred from anything the non-admin user is barred from. Besides, there are additional security mechansims built into operation systems, but many such were built into Windows later than their Linux counterparts, and recent studies show that third-party software doesn't use them. Link

And besides, you are not the first who thought of it. A big computer magazine in Germany, c't, actually regularly provides a "banking CD" with its magazine. It is just as you described, a LiveCD based on Ubuntu with some branding. I don't know if they provide specific tools on it too, but if you think that it is more secure than a "common" Ubuntu LiveCD, you could order a past issue with that CD from heise.de. Personally, I wouldn't bother and just take the LiveCD of some big distro.

I mean, Linux and all the apps are
open source and written by just about
anybody

OSS programs may be written by anyone and everyone, but that doesn't mean I make a no-name app and it will be featured in the LiveCD. There are rules, standards and procedures to be adhered to, if I need an app to be featured in the LiveCD and something won't be featured "just like that". Getting the keylogger to start with the LiveCD will mean that upstart scripts will need to be tampered with, and I can tell you nobody's going to miss this.

You can be sure Linux doesn't have any keyloggers or other malware BECAUSE it's open source. You are free to go through every source file and check it yourself - I read quite a bit of the source. Canonical (Ubuntu) doesn't just put anyone's random script in without looking at it. I work on an open source project and if something was inserted, we would know. New things almost always break old things. We look at what comes up when the OS is booting, and we know which processes should be running.

Closed source, on the other hand, could have a million "features" you'll never know about.

Starting from a Linux Boot CD will mean that none of the malware you may have on your computer is going to run, and nothing that you enter into your browser will be stored anywhere on your computer once your ram is cleared out. Does that mean you are completely safe? No. Maybe someone is collecting packets between you and the bank and knows how to get around https encryption. Maybe someone at the bank is doing things on that end.

Infections by keyloggers and the like are a very real threat, and booting from a Live CD gives you a nice blank slate every time.
The vast majority of all virusses and malware are targeted at Windows systems, so with Linux, you no longer have to worry about those.

As you mentioned, Open Source development involves a lot of people collaborating to make projects like Ubuntu possible, but it also means there's a lot of peer review and testing.

If someone really did try to sneak something malicious into a program that's included on the Live CD, surely it would have been caught by the many other people involved in these projects.

After all, 700 MB is not a lot of room to work with and only the best and most important applications are approved to be shipped with the Live CD.

For some further reading, security expert Brian Krebs wrote an article about banking with an Ubuntu Live cd for the Washington Post last year: link.